Mobile malware may still be far less prevalent than threats crafted for traditional PC systems, but threat actors are seeking ways to compromise these important devices we use on a daily basis.

Google, cybersecurity firms, OEMs, and Android developers are fighting to keep our devices safe, but little can be done if they are purchased with vulnerabilities already in tow — which researchers from IoT and security firm Kryptowire say is happening now.

Speaking at DefCon in Las Vegas last week, Kryptowire researchers said that 25 Android smartphone models contain a slew of vulnerabilities which may expose the user to attack from the time of purchase.

After analyzing handsets from Android vendors and carriers, ranging from low-end models to more expensive flagships, the team discovered bugs ranging from minimal risk to critical problems in pre-installed apps and firmware.

As reported by sister site CNET, Kryptowire uncovered a total of 38 different vulnerabilities in pre-loaded applications and the firmware builds of 25 Android handsets, 11 of which are sold in the United States.

The researchers said their work was primarily based in the US, but the impact of these bugs is worldwide.

"All of these are vulnerabilities that are prepositioned," Angelos Stavrou, Kryptowire CEO, told attendees at the conference. "They come as you get the phone out the box. That's important because consumers think they're only exposed if they download something that's bad."

Android builds and pre-installed apps vary based on smartphone models and OEMs. As a result, a security flaw may impact an Essential smartphone, for example, but not an LG model in a similar price bracket.

The security flaws include issues present in ZTE ZMAX Pro phones which allow text messages to be exfiltrated, edited, or sent without user permission, as well as two bugs in ZMAX Champ pre-installed apps which can be utilized to force an "unfixable" boot recovery loop or factory reset.

A vulnerability in the Sony Xperia L1 permits attackers to covertly take screenshots, and a similar issue was found in the Nokia 6 TA-1025. In the LG G6, a particularly nasty vulnerability can lock a user out of their own phone, even in safe mode, forcing the user to factory reset in recovery mode.

"The user may be able to unlock the device if they have ADB enabled prior to the locking of the screen and can figure out how to unlock it, which may be difficult for the average user," the researchers added. "This acts as a Denial of Service attack and results in data loss if a factory reset occurs."

Other security flaws include another LG G6 problem which can be exploited to obtain the kernel log, and a pre-installed app in Essential phones which allows any app on the device to wipe all user data via a factory reset. In the Asus ZenFone 3 Max, attackers can utilize a flawed pre-installed app to obtain system data or Wi-Fi passwords, as well as execute arbitrary code through a wireless connection.